[Openstack-security] [Bug 1795800] Re: Timing oracle in core auth plugin simplifies brute-forcing usernames

Lance Bragstad lbragstad at gmail.com
Mon Dec 17 19:58:56 UTC 2018


** Description changed:

  The response times for POST /v3/auth/tokens are significantly higher for
  valid usernames compared to those of invalid ones, making it possible to
  enumerate users on the system.
  
  Examples:
  
  # For invalid username
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 141
  Content-Type: application/json
  
- {"auth":{"identity":{"methods": ["password"],"password":{"user":{"name":
- "nonexisting","domain":{"name": "Default"},"password": "devstacker"}}}}}
+ {  
+    "auth":{  
+       "identity":{  
+          "methods":[  
+             "password"
+          ],
+          "password":{  
+             "user":{  
+                "name":"nonexisting",
+                "domain":{  
+                   "name":"Default"
+                },
+                "password":"devstacker"
+             }
+          }
+       }
+    }
+ }
  
  + Response Time: <150ms
  
  # For valid username ('admin' in this case)
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 139
  Content-Type: application/json
  
- {"auth":{"identity":{"methods": ["password"],"password":{"user":{"name":
- "admin","domain":{"name": "Default"},"password": "devstacker"}}}}}
+ {  
+    "auth":{  
+       "identity":{  
+          "methods":[  
+             "password"
+          ],
+          "password":{  
+             "user":{  
+                "name":"admin",
+                "domain":{  
+                   "name":"Default"
+                },
+                "password":"devstacker"
+             }
+          }
+       }
+    }
+ }
  
  + Response time: >600ms
  
  # Tested version
  v3.8
  
  [UPDATE 3 Oct 2018 5:01 AEST]
  Looks like it's also possible to enumerate for valid "domain" too. There're 2 ways that I can see:
  * With valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
- * Without valid username: get a baseline response time using invalid username AND invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure i.e. timing difference is not as distinguishable, but should still be recognisable with a good sample size.
+ * Without valid username: get a baseline response time using invalid username AND invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure i.e. timing difference is not as distinguishable, but should still be recognizable with a good sample size.

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1795800

Title:
  Timing oracle in core auth plugin simplifies brute-forcing usernames

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The response times for POST /v3/auth/tokens are significantly higher
  for valid usernames compared to those of invalid ones, making it
  possible to enumerate users on the system.

  Examples:

  # For invalid username
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 141
  Content-Type: application/json

  {  
     "auth":{  
        "identity":{  
           "methods":[  
              "password"
           ],
           "password":{  
              "user":{  
                 "name":"nonexisting",
                 "domain":{  
                    "name":"Default"
                 },
                 "password":"devstacker"
              }
           }
        }
     }
  }

  + Response Time: <150ms

  # For valid username ('admin' in this case)
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 139
  Content-Type: application/json

  {  
     "auth":{  
        "identity":{  
           "methods":[  
              "password"
           ],
           "password":{  
              "user":{  
                 "name":"admin",
                 "domain":{  
                    "name":"Default"
                 },
                 "password":"devstacker"
              }
           }
        }
     }
  }

  + Response time: >600ms

  # Tested version
  v3.8

  [UPDATE 3 Oct 2018 5:01 AEST]
  Looks like it's also possible to enumerate valid "domain" values. There are 2 ways that I can see:
  * With a valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
  * Without a valid username: get a baseline response time using an invalid username AND an invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me an invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure, i.e. the timing difference is not as distinguishable, but should still be recognizable with a good sample size.

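The gap the report measures is the classic signature of an authentication path that looks the user up first and returns as soon as the name is unknown, skipping the password hash, while a valid name pays the full hashing cost. The example below is an added illustration, not keystone's code: it shows that pattern beside the usual mitigation, hashing the supplied password against a precomputed dummy hash when the user does not exist, plus a small harness that measures the valid/unknown time ratio for each version. The user store, salt and PBKDF2 cost are constructed stand-ins.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed stand-ins: a fixed salt and a PBKDF2 cost high enough that
# one hash takes tens of milliseconds, like keystone's bcrypt/scrypt would.
SALT = b"constructed-salt"
ITERATIONS = 100_000

def slow_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

# Constructed user store: the one valid user from the report.
USERS = {"admin": slow_hash("devstacker")}
# Hash of a random throwaway password, computed once at start-up, so the
# hardened path can pay the full hashing cost for unknown users too.
DUMMY_HASH = slow_hash(os.urandom(16).hex())

def auth_vulnerable(name: str, password: str) -> bool:
    # Returns early for an unknown user and never hashes the password,
    # so the failure comes back far faster: a timing oracle on the name.
    stored = USERS.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(slow_hash(password), stored)

def auth_hardened(name: str, password: str) -> bool:
    # Always hashes the supplied password, against DUMMY_HASH when the
    # user is unknown, so both failure paths cost the same.
    stored = USERS.get(name)
    exists = stored is not None
    match = hmac.compare_digest(slow_hash(password), stored if exists else DUMMY_HASH)
    return exists and match

def median_ms(fn, name: str, samples: int = 5) -> float:
    # Median wall-clock time, in ms, of a failed login attempt for `name`.
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(name, "wrong-password")
        times.append((time.perf_counter() - start) * 1000)
    return statistics.median(times)

def timing_ratio(fn) -> float:
    # Valid-user time divided by unknown-user time: close to 1.0 means
    # the response time no longer reveals whether the user exists.
    return median_ms(fn, "admin") / median_ms(fn, "nonexisting")
```

Calling timing_ratio() on each function gives a ratio far above 10 for the vulnerable version and close to 1.0 for the hardened one. The dummy hash must use the same algorithm and cost parameters as the real user hashes, otherwise the gap simply reappears.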